[Dovecot] STARTTLS problem
Hi,
We are trying to configure dovecot as usual (all our servers have dovecot+vpopmail+qmail or postfix). We set up dovecot with the following outcome:
- imap ok
- imaps ok
- imap STARTTLS NOT OK
Debug:
root@s13:/home/lucas# gnutls-cli --starttls -p 143 ip
Resolving 'ip'...
Connecting to 'ip'...
- Simple Client Mode:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
*** Starting TLS handshake
*** Non fatal error: Resource temporarily unavailable, try again.
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
Same result with thunderbird and openssl. Log:
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [83.61.13.57]
Feb 2 20:27:34 s13 dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [83.61.13.57]
Feb 2 20:27:34 s13 dovecot: imap-login: Disconnected (no auth attempts): rip=83.61.13.57, lip=109.200.5.221, TLS handshaking: Disconnected
My config:
# 2.0.9: /opt/dovecot/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-27-server x86_64 Ubuntu 8.04
auth_mechanisms = plain login cram-md5
default_login_user = vpopmail
disable_plaintext_auth = no
first_valid_gid = 89
first_valid_uid = 89
last_valid_gid = 89
last_valid_uid = 89
listen = ip
mail_debug = yes
mail_gid = 89
mail_uid = 89
passdb {
  driver = vpopmail
}
plugin {
  quota = maildir:User quota
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  setting_name = quota, trash
}
protocols = imap pop3
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service imap {
  process_limit = 1024
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service pop3 {
  process_limit = 1024
}
ssl_cert =
Any clue?
Thank you in advance,
Lucas
On Wed, 2011-02-02 at 21:28 +0100, Lucas -LandM- wrote:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
*** Starting TLS handshake
You're starting it too early. Give "x starttls" command first.
Hi Timo,
Thank you very much for your quick answer. Same error:
gnutls-cli --starttls -p 143 ip
Resolving 'ip'...
Connecting to 'ip:143'...
- Simple Client Mode:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
9 STARTTLS
9 OK Begin TLS negotiation now.
*** Starting TLS handshake
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
root@s13:/home/lucas# gnutls-cli --starttls -p 143 ip
Resolving 'ip'...
Connecting to 'ip:143'...
- Simple Client Mode:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
*** Starting TLS handshake
2 STARTTLS
*** Non fatal error: Resource temporarily unavailable, try again.
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
Any other test?
Regards, Lucas
On Wed, 2011-02-02 at 22:47 +0100, Lucas -LandM- wrote:
Same error:
gnutls-cli --starttls -p 143 ip
Resolving 'ip'...
Connecting to 'ip:143'...
- Simple Client Mode:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
9 STARTTLS
9 OK Begin TLS negotiation now.
*** Starting TLS handshake
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
Try connecting from localhost. Maybe you have a broken proxy/firewall in the middle.
Hi Timo,
From other server:
gnutls-cli --starttls -p 143 ip
Resolving 'ip'...
Connecting to 'ip:143'...
- Simple Client Mode:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
9 starttls
9 OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
- Using prime: 1032 bits
- Secret key: 1016 bits
- Peer's public key: 1024 bits
- Certificate type: X.509
Got a certificate list of 1 certificates.
Certificate[0] info:
The hostname in the certificate does NOT match 'ip'.
Server log:
Feb 2 22:10:07 s13 dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [83.170.89.109]
Feb 2 22:10:07 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [83.170.89.109]
Feb 2 22:10:07 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read certificate verify A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Disconnected (no auth attempts): rip=83.170.89.109, lip=109.200.5.221, TLS: Disconnected
Same error in thunderbird :(
Feb 2 22:12:44 s13 dovecot: imap-login: Disconnected (no auth attempts): rip=83.61.13.57, lip=ip, TLS handshaking: Disconnected
Regards, Lucas
Hi Timo again,
It works right now, but only in command line approach:
gnutls-cli --starttls -p 143 ip
Resolving 'ip'...
Connecting to 'ip:143'...
- Simple Client Mode:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
1 starttls
1 OK Begin TLS negotiation now.
*** Starting TLS handshake
Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1023 bits
- Peer's public key: 1021 bits
Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=SP,ST=Madrid,L=Madrid,O=Dclient,OU=IMAP server,CN=imap.client.com,EMAIL=postmaster@client.com', issuer `C=SP,ST=Madrid,L=Madrid,O=Dclient,OU=IMAP server,CN=imap.client.com,EMAIL=postmaster@client.com', RSA key 1024 bits, signed using RSA-SHA, activated `2011-02-02 18:46:20 UTC', expires `2021-01-30 18:46:20 UTC', SHA-1 fingerprint `17861d69831182042fbc1544a30cf33c4059ff06'
The hostname in the certificate does NOT match 'client'
Thunderbird loops "Checking mail server capabilities" forever. Server log:
Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [83.61.13.57]
Feb 2 22:01:55 s13 dovecot: imap-login: Disconnected (no auth attempts): rip=83.61.13.57, lip=ip, TLS handshaking: Disconnected
Any other suggestion?
Thank you, Lucas
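Added example, not part of the original thread and not Dovecot's own code: a small Python parser for the imap-login SSL debug lines posted above, which reports per client address whether the handshake completed or at which state it stalled. The sample lines are abridged from the two server logs in the thread; the function names are hypothetical.

```python
import re

# Lines abridged from the two server logs posted in this thread.
SAMPLE_LOG = """\
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [83.61.13.57]
Feb 2 20:26:58 s13 dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [83.61.13.57]
Feb 2 20:27:34 s13 dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [83.61.13.57]
Feb 2 20:27:34 s13 dovecot: imap-login: Disconnected (no auth attempts): rip=83.61.13.57, lip=109.200.5.221, TLS handshaking: Disconnected
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [83.170.89.109]
Feb 2 22:10:08 s13 dovecot: imap-login: Disconnected (no auth attempts): rip=83.170.89.109, lip=109.200.5.221, TLS: Disconnected
"""
# State-change / failure / alert lines, each ending in "[client ip]".
STATE_RE = re.compile(r"imap-login: Warning: SSL( failed| alert)?: "
                      r"where=0x[0-9a-f]+(?:, ret=-?\d+)?: (.+) \[([0-9a-fA-F.:]+)\]$")
# Final disconnect line; the phase is "TLS handshaking" or "TLS".
DISC_RE = re.compile(r"imap-login: Disconnected.*?rip=([0-9a-fA-F.:]+),.*, (TLS[^:]*): Disconnected$")

def verdict(s):
    """Turn one session record into a one-line diagnosis."""
    if s["done"]:
        return "handshake completed"
    if s["last"] is None:
        return "no handshake states logged (%s)" % s["phase"]
    # A "read" state means the server is blocked waiting for the client.
    waiting = " (server waiting for client data)" if " read " in s["last"] else ""
    return "stalled at: %s%s" % (s["last"], waiting)

def summarize(log_text):
    """Return {client_ip: diagnosis} for every client seen in the log."""
    sessions = {}
    for line in log_text.splitlines():
        state_m, disc_m = STATE_RE.search(line.strip()), DISC_RE.search(line.strip())
        ip = state_m.group(3) if state_m else disc_m.group(1) if disc_m else None
        if ip is None:
            continue
        s = sessions.setdefault(ip, {"last": None, "done": False, "phase": None})
        if disc_m:
            s["phase"] = disc_m.group(2)
        elif state_m.group(1) is None:   # plain state line, not "failed"/"alert"
            if "finished successfully" in state_m.group(2):
                s["done"] = True
            else:
                s["last"] = state_m.group(2)
    return {ip: verdict(s) for ip, s in sessions.items()}

if __name__ == "__main__":
    for ip, v in summarize(SAMPLE_LOG).items():
        print(ip, "->", v)
```

Sessions are keyed by client address, so repeated attempts from one address are merged into a single record.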